SOCWarden

How SOCWarden Works

A security ingestion engine. 15 threat feeds, 7 OSINT APIs, 3 LLM providers. Real-time risk scoring. All from a single POST /v1/events call.

Concept

Think of it like your home security

Your firewall is the front door lock. SOCWarden is the motion detector, the camera system and the alarm, watching everything that happens inside.

The Perimeter (WAF, Cloudflare)

What you already have

Your WAF and firewall block known-bad traffic at the door. Rate limiting, IP blocking, bot filtering. Essential, but it only sees the perimeter.

Inside: SOCWarden

What gets through the perimeter

SOCWarden watches what happens after traffic reaches your application. Login failures from Tor nodes, impossible travel, credential spraying and privilege escalation. All detected and scored in real time.

The invisible work — what happens after you call the API
POST /v1/events received
1Realtime Enrichment
<1ms in-process
MaxMind GeoIP lookup
User-Agent parsing
Tor / VPN / proxy detection
ASN datacenter classification
Request anomaly scan
Disposable email detection
2Threat Intelligence Feeds
<10ms single query
feedSpamhaus DROP / XBL
feedFeodo Tracker (botnet C2s)
feedEmerging Threats (ET) rules
feedCINS Army score
feedblocklist.de attack reporters
feedGreenSnow bad actors
feedURLhaus (malware URLs)
feedMyCERT (Malaysian CERT)
feedTor exit node list
feedVPN / proxy CIDR ranges
260k+ threat indicators matched per event
3Async OSINT Lookup
fire-and-forget async
AbuseIPDB confidence score
GreyNoise noise / RIOT classification
Shodan InternetDB (open ports + CVEs)
Pulsedive threat intelligence
Have I Been Pwned (HIBP) breach check
WHOIS domain registration lookup
CISA Known Exploited Vulnerabilities (KEV)
LLM alert summary + event classification
0 – 100
composite risk score
MITRE ATT&CKOWASP Top 10LLM summary

Getting started

Up and running in 2 minutes

One SDK install. One function call. Full threat intelligence.

1

Create your free account

Sign up at app.socwarden.com. No credit card required. You get an API key instantly.

2

Install the SDK and add your API key

Works with Laravel, Node.js, Python, Go, Browser or the raw HTTP API. Each SDK auto-collects IP, user agent and request context.

Terminal
# Laravel
composer require soc-warden/laravel-sdk

# Node.js
npm install @socwarden/node

# Python
pip install socwarden

# Go
go get github.com/soc-warden/go-sdk
3

Place API calls at the right spots in your app

Track security-relevant events: logins, admin actions, API key changes, password resets. Use structured event types like auth.login.success.

AuthController.php
use SOCWarden\Facades\SOCWarden;

// After a login attempt
SOCWarden::track(
    event: 'auth.login.success',
    actor: $user,
);

// After an admin action (fluent builder)
SOCWarden::event('admin.settings.updated')
    ->actor($admin)
    ->meta('setting', 'billing')
    ->send();

// After a sensitive operation
SOCWarden::track(
    event: 'data.exported',
    actor: $user,
    resource: 'customers',
    metadata: ['format' => 'csv', 'rows' => 15000],
);
4

SOCWarden enriches what happens inside your app

Every event is asynchronously enriched with GeoIP, 15 threat feeds, 7 OSINT APIs, behavioral detection, risk scoring and MITRE ATT&CK mapping. Your app never waits.

5

Get alerted the moment something suspicious happens

Alerts fire via Email, Telegram, Slack, Discord, PagerDuty or webhook. Smart grouping and deduplication reduce noise. Each alert includes LLM-generated summaries explaining what happened and why.

Risk scoring

Composite score: 0-100

Every signal adds to the composite risk score. Threat level: 0-24 (low), 25-49 (medium), 50-74 (high), 75-100 (critical).

Risk Signal Examples
auth.login.failure (base)+10
Tor exit node match+40
Spamhaus DROP match+50
Brute force (5 in 5m)+25
Impossible travel detected+50
AbuseIPDB >90% confidence+30
VPN detected+10
New country (first time)+20
Sanctioned country+40
SQLi payload detected+20

How we derive each point value

NIST SP 800-30 Rev 1OWASP Risk RatingCVSS v3.1

The methodology follows the same two-axis model used by NIST SP 800-30 and the OWASP Risk Rating Methodology: likelihood × impact. We split likelihood into two observable signals — confidence and rarity — giving three factors per signal. The additive, capped scoring model mirrors CVSS v3.1.

The specific point values are calibrated in-house from feed provider documentation (Spamhaus publishes false positive rates for DROP/XBL; AbuseIPDB publishes confidence thresholds) and SOC analyst heuristics — the same approach used by Splunk ES, IBM QRadar, and Microsoft Sentinel for risk-based alerting. No single paper dictates these numbers; the framework is standardised, the weights are reasoned.

1Signal confidence

How reliably does this signal indicate malicious intent, with few false positives?

NIST: Threat Event Likelihood

Spamhaus DROP+50 — near-zero FP
VPN detected+10 — many legit uses
2Worst-case severity

If this is a real attack, how serious is the potential damage?

NIST: Adverse Impact / CVSS: Impact Score

Impossible travel+50 — account takeover
SQLi payload+20 — probing, may fail
3Behavioral rarity

How uncommon is this in normal, legitimate user activity?

OWASP: Ease of Discovery / Intrusion Prevalence

Tor exit node+40 — almost never legit
New country login+20 — travel is plausible

Example: A login from a Tor exit node on a Spamhaus-listed IP with 5 failed attempts in 3 minutes scores +10 (base) + +40 (Tor) + +50 (Spamhaus) + +25 (brute force) = 125 → capped at 100 (critical). Each signal is independent — they stack, and the final score is clamped to 100.

How base scores are set

Each of the 48 tracked event types carries a pre-computed base risk score reflecting the inherent severity of that action — independent of who performed it or from where. Scores follow a 0–60 scale based on worst-case attack impact if the action is malicious. They stack additively with threat feed matches and behavioral signals to form the final 0–100 composite.

High base (40–60)
server.container.escape_attempt+60
server.log.tampered+50
server.log.cleared+45
auth.mfa.bypass_attempted+40
Medium base (10–35)
server.process.suspicious+35
admin.user.impersonated+25
account.role.changed+20
server.firewall.rule_removed+15
Low base (0–8)
data.accessed+5
auth.session.revoked+5
api.request.failed+3
auth.token.refreshed+0

A base-0 event can still reach critical risk if it matches a Tor exit node, Spamhaus listing, or triggers impossible travel.

Server agent

One sensor is not enough

Application events cover your code. The SOCWarden agent covers your infrastructure: SSH access, file changes, process execution and Docker events. All shipping to the same API.

SSH Monitoring

Tracks all SSH login attempts, successful and failed. Detects root login, key-based vs password auth.

File Integrity

Monitors critical paths (/etc/passwd, /etc/shadow, config files) for unauthorized modifications.

Process Monitoring

Detects new processes, privilege escalation and suspicious binaries like cryptominers or reverse shells.

Docker Events

Watches container lifecycle, including starts, stops, exec commands and volume mounts. Detects container escape attempts.

Starter: 2 agents|Pro: 10 agents + Docker|Business: Unlimited

Detection

What does SOCWarden actually detect?

50 detection types: 36 behavioral (auth, session, geo, ML, server, container), 9 request anomaly categories (SQLi/XSS/CMDi/SSRF/etc.), and 5 kill-chain compounds. Every alert mapped to MITRE ATT&CK — 55 unique technique IDs across 33 parent and 22 sub-techniques.

Brute Force

T1110.001

5+ failed login attempts within 5 minutes by actor or IP. Catches password guessing and automated credential attacks.

Impossible Travel

T1078

Logins from locations that would require >800 km/h travel speed. Haversine distance calculation between consecutive logins.

Credential Spray

T1110.003

Same failure pattern across 10+ distinct actors from the same /24 subnet. Catches distributed password spraying campaigns.

Geo-Anomaly

T1078.004

First login from a new country or a sanctioned country. Tracks per-actor country history over a 14-day rolling window.

Session Anomaly

T1563

3+ concurrent IPs on one session, or session created + role change within 5 minutes. Detects session hijacking.

Time-of-Day Baseline

T1078

14-day rolling baseline of per-actor login hours. Admin actions outside normal hours add +10 risk. Catches off-hours compromise.

Account Takeover Chain

T1531

New-country login → email change → password change within 2 hours. Detects the full account takeover sequence as a single high-confidence kill chain.

Data Exfiltration Chain

T1567

data.accessed → data.exported → data.downloaded within 1 hour. Detects staged data theft sequences even when each individual event looks low-risk.

Request Attack Patterns

T1190

Real-time payload scanning for SQLi, XSS, path traversal, command injection, SSRF, LDAP injection, and open redirect. Scores each match against OWASP Top 10.

Ready to add SOCWarden to your app?

Free tier. No credit card. Full threat intelligence from day one.